Groups: ad firm used by ISPs spies on users

A targeted advertising vendor being used by several US broadband providers hijacks browsers, spies on users and employs man-in-the-middle attacks, according to a report released by two advocacy groups.

NebuAd, a behavioural advertising vendor being used by Charter Communications, WideOpenWest and other internet service providers, uses also packet forgery, modifies the content of TCP/IP packets and loads subscribers' computers with unwanted cookies, according to the report, released by Public Knowledge and Free Press, two Washington, DC, groups focused on digital rights.

"NebuAd exploits several forms of 'attack' on users' and applications' security," wrote report author Robert Topolski, chief technology consultant for the two groups. "These practices — committed upon users with the paid-for cooperation of ISPs — violate several fundamental expectations of internet privacy, security and standards-based interoperability."

A Charter Communications representative didn't immediately respond to a request for comment on the Topolski report. Charter, in late May, issued a statement saying it was working with concerned lawmakers to address concerns about the targeted ad service.

"Charter takes the responsibility of protecting its customers' information seriously," the company said in a May statement. "We look forward to maintaining an open communication with policymakers to alleviate any concerns."

NebuAd called the report "misleading". The company places cookies on users' machines "using industry-standard techniques for standard ad serving purposes," NebuAd said in a statement.

NebuAd also allows users to opt out of the company's information-collection efforts, the company noted.

"We take issue with the inaccurate statements made in reference to NebuAd’s consumer privacy standards and apparent disregard for the controls and policies we have in place to inform and protect internet subscribers," NebuAd's statement said. "Transparency and consumer privacy protection are core to our business. Reasonable review of materials that have been made available online would have educated the organisation that NebuAd requires its ISP partners to provide robust notice to their subscribers prior to deployment of the service.”

Charter Communications, a cable television and internet provider based in St. Louis, announced in May that it was planning to use NebuAd to roll out a targeted ad programme that would track users' web activity in order to deliver "relevant" ads. That announcement by Charter, the fourth largest cable operator in the US, sparked calls for an investigation by several privacy and consumer groups.

Two members of the US House of Representatives Energy and Commerce Committee, Representatives Ed Markey, a Massachusetts Democrat, and Joe Barton, a Texas Republican, wrote to Charter in mid-May, asking the company to delay rollout of the plan until they could have a discussion about the proposal.

Any collection of cable subscribers' personal data without their consent "raises substantial questions" about whether it is legal under the Communications Act, the two congressmen wrote.

Topolski, in his report, says he tested a connection on WideOpenWest in late May and early June. NebuAd's service injected new script into his browser session, preloaded identifying cookies on his machine, and monitored his browsing, he wrote.

Topolski compared NebuAd's methods to browser hijacking, cross-site scripting and other forms of computer attacks. NebuAd is engaged in "eavesdropping on the content of web messages as they were being sent and received," he wrote.

"This report shows that NebuAd's internet wiretapping is highly questionable," Marvin Ammori, Free Press general counsel, said in a statement. "Phone and cable companies should press pause on NebuAd and any similar venture until consumers and members of Congress can address the serious concerns raised by this report."

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.